PHP black magic we learned in those years

Source: Internet
Author: User
Tags ereg sha1 encryption

Comparison operators

Here we must talk about the importance of the difference between == and ===. == is a loose comparison: it does not check the types of its operands. === is the identity operator: it checks that both the value and the type are equal. NULL, 0, "0" and array() all return true when compared with false using ==, but not when compared using ===. This is basic knowledge that everyone should know, so I will not discuss it again below.

Array

0x01 PHP arrays often play a crucial role. Let's take a look at a question from Boston Key Party:

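    if (isset($_GET['name']) and isset($_GET['password'])) {
        // name and password must differ (loose comparison)
        if ($_GET['name'] == $_GET['password'])
            print 'Your password can not be your name.';
        // ...but their sha1 hashes must be identical
        else if (sha1($_GET['name']) === sha1($_GET['password']))
            die('Flag: '.$flag);
        else
            print 'Invalid password';
    }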

To solve this problem, we must first ensure that the values of name and password are not the same. Secondly, the values of name and password after hashing with sha1 must be exactly the same. This is where arrays come in (a[0] = 1): if name[]=1 is compared with password[]=2, the two arrays differ and the first check is passed. If sha1 is given an array, the return value is NULL, and NULL === NULL is true. Therefore, two arrays are constructed and the flag is obtained successfully.

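0x02 Let's look at another question from Boston Key Party:

    if (isset($_GET['password'])) {
        // strcmp() returns 0 only when both strings are equal
        if (strcmp($_GET['password'], $flag) == 0)
            die('Flag: '.$flag);
        else
            print 'Invalid password';
    }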


Here, strcmp is used to compare password and flag, and the flag is given if the result equals 0. strcmp returns 0 when the strings are equal; when they are not equal, the result is either greater than 0 or less than 0. However, strcmp only handles string parameters. If an array is given, NULL is returned, and because == is used, NULL == 0 is bool(true). So this question is again solved by constructing an array.

0x03 Another question from Boston Key Party:

    if (isset ($_GET['password'])) {
        // ereg() returns FALSE when the pattern does not match
        if (ereg ("^[a-zA-Z0-9]+$", $_GET['password']) === FALSE)
            echo 'You password must be alphanumeric';
        else if (strpos ($_GET['password'], '--') !== FALSE)
            die('Flag: ' . $flag);
        else
            echo 'Invalid password';
    }


There are two ways to solve this question. The first is the array again: ereg only handles strings, so by the same principle we pass password as an array (password[]). ereg then returns NULL, and === finds that NULL and FALSE are not identical, so we reach the second check. strpos also returns NULL when given an array. Note that the operator here is !==, and NULL !== FALSE is true, so the flag is obtained. The second method relies on ereg stopping when it reads %00, so s%00-- also gets the flag (is this a black magic? Haha)
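A hardened form of the three checks above, as an added example that is not part of the original article. It assumes PHP 7.1 or later; the function names string_param, same_sha1, matches_flag and is_alnum are hypothetical, and the sample requests are constructed.

```php
<?php
// Added illustration: helper names are hypothetical, requests are constructed.

// Return a request parameter only when it is a plain string. password[]=x
// arrives as an array and is rejected before any string function sees it.
function string_param(array $src, string $key): ?string
{
    $v = $src[$key] ?? null;
    return is_string($v) ? $v : null;
}

// 0x01: hashes are compared only once both inputs are known to be strings.
function same_sha1(array $get): bool
{
    $name = string_param($get, 'name');
    $pass = string_param($get, 'password');
    if ($name === null || $pass === null || $name === $pass) {
        return false;
    }
    return hash_equals(sha1($name), sha1($pass));
}

// 0x02: hash_equals() replaces strcmp(...) == 0. It returns a real bool,
// so there is no NULL result to be confused with 0.
function matches_flag(array $get, string $flag): bool
{
    $pass = string_param($get, 'password');
    return $pass !== null && hash_equals($flag, $pass);
}

// 0x03: preg_match() with \A...\z replaces ereg(). It is binary safe, so a
// NUL byte does not end the match early; === 1 rejects both 0 and false.
function is_alnum(array $get): bool
{
    $pass = string_param($get, 'password');
    return $pass !== null && preg_match('/\A[a-zA-Z0-9]+\z/', $pass) === 1;
}

$flag = 'constructed-flag';
var_dump(same_sha1(['name' => ['1'], 'password' => ['2']]));  // two arrays
var_dump(matches_flag(['password' => ['x']], $flag));         // array input
var_dump(matches_flag(['password' => $flag], $flag));         // correct string
var_dump(is_alnum(['password' => "s\0--"]));                  // embedded NUL byte
var_dump(is_alnum(['password' => 'abc123']));                 // plain alphanumeric
```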

Comparison of numbers

0x01 wechall:

    function noother_says_correct($number)
    {
            $one = ord('1');
            $nine = ord('9');
            // Check all the input characters!
            for ($i = 0; $i < strlen($number); $i++)
            {
                    // Disallow all the digits!
                    $digit = ord($number{$i});
                    if ( ($digit >= $one) && ($digit <= $nine) )
                    {
                            // Aha, digit not allowed!
                            return false;
                    }
            }
            return $number == "3735929054";
    }


Here, the digits 1 to 9 are not allowed in the input, yet the input is compared with a string of digits at the end, so the ordinary approach is definitely not feasible. We all know about hexadecimal conversion in computers, and it can also be used in a comparison. The 0x prefix indicates hexadecimal notation. Converting the string of digits to hexadecimal gives deadc0de; with 0x added at the beginning it is a hexadecimal number, which is then compared with the decimal 3735929054. The two are of course equal, so the function returns true and we get the flag.

0x02 Let's look at a question about Bao MEI:
 

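    if ("POST" == $_SERVER['REQUEST_METHOD'])
    {
        $password = $_POST['password'];
        // at least 12 printable characters
        if (0 >= preg_match('/^[[:graph:]]{12,}$/', $password))
        {
            echo 'Wrong Format';
            exit;
        }
        while (TRUE)
        {
            // at least 6 runs of punct / digit / upper / lower characters
            $reg = '/([[:punct:]]+|[[:digit:]]+|[[:upper:]]+|[[:lower:]]+)/';
            if (6 > preg_match_all($reg, $password, $arr))
                break;
            // count how many character classes are present
            $c = 0;
            $ps = array('punct', 'digit', 'upper', 'lower');
            foreach ($ps as $pt)
            {
                if (preg_match("/[[:$pt:]]+/", $password))
                    $c += 1;
            }
            if ($c < 3) break;
            // loose comparison with the numeric string "42"
            if ("42" == $password) echo $flag;
            else echo 'Wrong password';
            exit;
        }
    }
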
On the wooyun zone, X has analyzed it:

It's a mathematical thing... 42.00e+0000000000, 10 to the power of 00000... 42.000000... The result is actually 42, but sometimes these things work miracles, don't they?
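The strict counterpart of the two number comparisons above, as an added example that is not part of the original article. It assumes PHP 7.1 or later; is_canonical_uint and equals_number are hypothetical names and the inputs are constructed. The loose column depends on the PHP version: hexadecimal strings stopped being treated as numeric in PHP 7, while the exponent spelling still compares equal to "42".

```php
<?php
// Added illustration: function names are hypothetical, inputs are constructed.

// Accept only the canonical decimal spelling of a non-negative integer:
// no sign, no leading zeros, no hex prefix, no exponent, no whitespace.
function is_canonical_uint(string $s): bool
{
    return preg_match('/\A(0|[1-9][0-9]*)\z/', $s) === 1;
}

// Strict check: validate the spelling, then compare as strings with ===,
// so no numeric-string conversion takes place.
function equals_number(string $input, string $expected): bool
{
    return is_canonical_uint($input) && $input === $expected;
}

$cases = [
    ['3735929054',   '3735929054'],
    ['0xdeadc0de',   '3735929054'],   // hex spelling from the wechall question
    ['42',           '42'],
    ['42.00e+00000', '42'],           // exponent spelling from the second question
    ['042',          '42'],           // leading zero
    [' 42',          '42'],           // leading whitespace
];

foreach ($cases as [$input, $expected]) {
    printf(
        "%-16s loose(==): %-5s strict: %s\n",
        var_export($input, true),
        var_export($input == $expected, true),
        var_export(equals_number($input, $expected), true)
    );
}
```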

Switch does not have break

There is a question on wechall:

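    if (isset($_GET['which']))
    {
            $which = $_GET['which'];
            switch ($which)
            {
            case 0:   // no break: falls through
            case 1:   // no break: falls through
            case 2:
                    require_once $which.'.php';
                    break;
            default:
                    echo GWF_HTML::error('PHP-0817', 'Hacker NoNoNo!', false);
                    break;
            }
    }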

The goal is to include the solution file in the current directory. Here we find that case 0 and case 1 have no break. According to the usual way of thinking, the value would be compared with 0, the comparison would fail, then it would be compared with 2, and finally default would be entered, but this is not the case. In fact, at case 0 the body of case 0 is entered, and there is no break. At that point the match is treated as successful: once a match succeeds, the statements that follow are executed and no further comparison is made. That is to say, when we pass in solution through which, case 0 is entered, there is no break, the match counts as successful, nothing more is checked, and require_once solution.php is executed. After reading up on it, I found that this black magic is inherited from the C language.
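The include decision above rewritten with a strict allow-list, as an added example that is not part of the original article or of the wechall code. switch compares each case with ==, which is why a string can match case 0 at all; from PHP 8 a non-numeric string no longer equals 0 under ==, so the switch column differs by version. resolve_page and switch_matches are hypothetical names and the inputs are constructed.

```php
<?php
// Added illustration: function names are hypothetical, inputs are constructed.

// Map the request value to a file name using a strict allow-list.
// in_array(..., true) compares with ===, so 'solution' can never equal 0.
function resolve_page($which): ?string
{
    $allowed = ['0', '1', '2'];          // query-string values are strings
    if (!is_string($which) || !in_array($which, $allowed, true)) {
        return null;
    }
    return $which . '.php';
}

// The switch from the question, reduced to its matching decision only.
function switch_matches($which): bool
{
    switch ($which) {
        case 0:
        case 1:
        case 2:
            return true;
        default:
            return false;
    }
}

foreach (['0', '2', 'solution', '1abc', ['1']] as $which) {
    printf(
        "%-12s switch: %-5s allow-list: %s\n",
        json_encode($which),
        var_export(switch_matches($which), true),
        var_export(resolve_page($which), true)
    );
}
```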

Summary

So far, these are the interesting PHP black magic tricks that I have come across. If you know other cool tricks or dark magic, let's talk about them.
